99a9b42aadea2737bce25dbe3fdef11fc18d43beab92d3666986be9435b1d7ba

Analysis

max time kernel
114s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Size

1.3MB
MD5

1e51fc2cc100ddb51b869c6ff81db7d0
SHA1

908ddc25bbd2e0f9431dd70c3b0a75ed249d69f5
SHA256

99a9b42aadea2737bce25dbe3fdef11fc18d43beab92d3666986be9435b1d7ba
SHA512

b2a6a7676368ab9d68574bc6329259cdc1b0da54a9b69df053eb0ab587f0b51836d969baf22642e9e1905aeb75779f5c04d30943fb512279dd5c517a84ee3712
SSDEEP

24576:2wCZiJyQ5Q+h5Abc628M1U7WC6GZj2h6rk+0bEYzm+tHrNX6ndlRFdgmeFJ:hCZki4D8RWNGBNbOEEm+tHV6rRFdgmeT

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	1e51fc2cc100ddb51b869c6ff81db7d0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	1e51fc2cc100ddb51b869c6ff81db7d0N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File opened (read-only)	\??\W:	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File opened (read-only)	\??\X:	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File opened (read-only)	\??\A:	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File opened (read-only)	\??\Q:	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File opened (read-only)	\??\T:	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File opened (read-only)	\??\Y:	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File opened (read-only)	\??\Z:	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File opened (read-only)	\??\B:	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File opened (read-only)	\??\G:	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File opened (read-only)	\??\H:	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File opened (read-only)	\??\I:	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File opened (read-only)	\??\J:	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File opened (read-only)	\??\K:	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File opened (read-only)	\??\L:	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File opened (read-only)	\??\M:	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File opened (read-only)	\??\E:	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File opened (read-only)	\??\S:	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File opened (read-only)	\??\U:	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File opened (read-only)	\??\V:	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File opened (read-only)	\??\O:	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File opened (read-only)	\??\R:	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File opened (read-only)	\??\N:	1e51fc2cc100ddb51b869c6ff81db7d0N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\trambling voyeur .avi.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\lesbian hot (!) .avi.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\danish fetish xxx masturbation .avi.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\System32\DriverStore\Temp\horse masturbation cock .avi.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\american horse fucking hot (!) .zip.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\tyrkish action sperm lesbian .rar.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\xxx hidden .mpeg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\brasilian gang bang horse masturbation hole redhair .avi.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\indian cumshot lesbian hot (!) traffic .rar.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\danish fetish beast [milf] sweet .mpeg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\hardcore catfight .rar.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\fucking masturbation (Samantha).mpeg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\danish gang bang gay catfight feet 40+ (Karin).mpeg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\beast girls cock .rar.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\horse girls wifey .zip.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\horse sleeping .mpg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fucking girls latex .rar.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\swedish nude blowjob [milf] leather .mpg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Program Files\dotnet\shared\trambling hot (!) (Curtney).avi.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\lingerie girls (Curtney).mpg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\sperm [free] black hairunshaved .rar.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Program Files (x86)\Google\Temp\american animal lingerie public girly .rar.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Program Files (x86)\Google\Update\Download\black gang bang sperm [milf] leather (Sonja,Sylvia).zip.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\xxx [free] wifey .rar.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\lingerie several models stockings .mpeg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\danish nude sperm lesbian (Liz).rar.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\gay voyeur \Û .avi.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\swedish gang bang lingerie hot (!) (Sylvia).mpg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\japanese nude hardcore licking .mpg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\black handjob beast girls feet bedroom .mpeg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\asian horse licking glans .mpg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\sperm hot (!) hotel (Sonja,Karin).avi.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\blowjob uncut glans .mpg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\security\templates\fucking lesbian cock bedroom .rar.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\swedish kicking lingerie [free] titts .zip.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\animal gay catfight .zip.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\tyrkish handjob sperm several models glans .zip.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\canadian horse catfight .avi.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\spanish lesbian [milf] ash .mpg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\malaysia bukkake masturbation sm .avi.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\russian action lesbian lesbian titts .rar.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\indian kicking trambling public cock .avi.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\russian animal bukkake voyeur glans black hairunshaved .avi.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\fetish horse [milf] cock (Anniston,Liz).avi.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\animal hardcore [free] stockings (Ashley,Curtney).rar.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\italian animal trambling girls gorgeoushorny .mpeg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\canadian trambling several models 40+ .mpg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\horse fucking licking stockings (Anniston,Samantha).mpeg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\mssrv.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\assembly\temp\italian kicking blowjob girls (Curtney).rar.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\american cum horse [milf] hole girly (Tatjana).rar.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\asian lesbian girls .rar.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\malaysia sperm sleeping .zip.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\french lingerie sleeping (Jade).zip.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\trambling voyeur glans lady .rar.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\spanish horse [bangbus] (Sarah).mpg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\italian handjob bukkake [bangbus] stockings .rar.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\spanish sperm lesbian feet .avi.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\sperm hot (!) hole .zip.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\american handjob fucking hot (!) .avi.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\italian animal gay sleeping boots .mpeg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\Downloaded Program Files\japanese porn trambling voyeur titts shoes .avi.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\PLA\Templates\italian gang bang fucking voyeur cock .avi.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\beastiality beast sleeping titts lady .zip.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\japanese kicking hardcore voyeur .mpeg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\german trambling big castration .avi.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\sperm catfight femdom .mpg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\sperm sleeping (Sarah).avi.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\fucking girls 40+ .mpeg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\hardcore licking titts granny .mpg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\malaysia horse lesbian cock .avi.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\tyrkish porn lesbian hidden circumcision .mpeg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\xxx hidden titts bedroom .avi.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\brasilian nude lesbian masturbation cock .rar.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\lesbian full movie gorgeoushorny .mpg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\japanese cum lingerie hidden beautyfull .mpg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\lesbian [milf] glans sm (Curtney).zip.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\beast sleeping glans .mpeg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\SoftwareDistribution\Download\american porn hardcore lesbian hole stockings (Janette).mpeg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\malaysia bukkake hot (!) (Samantha).rar.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\indian animal xxx big hole sweet (Sylvia).mpeg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\danish handjob trambling [free] glans beautyfull (Melissa).mpeg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\asian fucking hot (!) hole ejaculation (Melissa).mpg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\gay big .mpeg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\kicking lesbian full movie .mpg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\fetish lesbian public (Sarah).mpg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\xxx uncut fishy .mpeg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\assembly\tmp\tyrkish kicking xxx [free] balls .mpg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\InputMethod\SHARED\bukkake [bangbus] .mpeg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\action horse catfight .mpg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\lingerie uncut hole .mpeg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\CbsTemp\brasilian gang bang beast [milf] hole hotel (Liz).mpeg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\russian porn bukkake lesbian beautyfull .mpeg.exe	1e51fc2cc100ddb51b869c6ff81db7d0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e51fc2cc100ddb51b869c6ff81db7d0N.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
3820	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
3820	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
2472	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
2472	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
1668	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
1668	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
3820	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
3820	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
1192	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
1192	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
4344	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
4344	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
3820	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
3820	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
2540	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
2540	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
940	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
940	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
2472	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
1668	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
2472	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
1668	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
3892	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
3892	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
4364	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
4364	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
3820	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
3820	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
1192	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
1192	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
628	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
628	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
2720	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
2720	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
4256	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
4256	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
1668	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
1668	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
2472	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
2472	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
2308	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
2308	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
4344	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
4344	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
4352	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
4352	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
2584	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
2584	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
2540	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
2540	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
940	1e51fc2cc100ddb51b869c6ff81db7d0N.exe
940	1e51fc2cc100ddb51b869c6ff81db7d0N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 3820	3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	87
PID 3556 wrote to memory of 3820	3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	87
PID 3556 wrote to memory of 3820	3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	87
PID 3820 wrote to memory of 2472	3820	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	88
PID 3820 wrote to memory of 2472	3820	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	88
PID 3820 wrote to memory of 2472	3820	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	88
PID 3556 wrote to memory of 1668	3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	89
PID 3556 wrote to memory of 1668	3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	89
PID 3556 wrote to memory of 1668	3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	89
PID 3820 wrote to memory of 1192	3820	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	94
PID 3820 wrote to memory of 1192	3820	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	94
PID 3820 wrote to memory of 1192	3820	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	94
PID 3556 wrote to memory of 4344	3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	95
PID 3556 wrote to memory of 4344	3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	95
PID 3556 wrote to memory of 4344	3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	95
PID 2472 wrote to memory of 2540	2472	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	96
PID 2472 wrote to memory of 2540	2472	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	96
PID 2472 wrote to memory of 2540	2472	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	96
PID 1668 wrote to memory of 940	1668	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	97
PID 1668 wrote to memory of 940	1668	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	97
PID 1668 wrote to memory of 940	1668	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	97
PID 1192 wrote to memory of 4364	1192	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	98
PID 1192 wrote to memory of 4364	1192	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	98
PID 1192 wrote to memory of 4364	1192	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	98
PID 3820 wrote to memory of 3892	3820	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	99
PID 3820 wrote to memory of 3892	3820	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	99
PID 3820 wrote to memory of 3892	3820	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	99
PID 1668 wrote to memory of 628	1668	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	100
PID 1668 wrote to memory of 628	1668	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	100
PID 1668 wrote to memory of 628	1668	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	100
PID 3556 wrote to memory of 2720	3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	101
PID 3556 wrote to memory of 2720	3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	101
PID 3556 wrote to memory of 2720	3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	101
PID 2472 wrote to memory of 4256	2472	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	102
PID 2472 wrote to memory of 4256	2472	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	102
PID 2472 wrote to memory of 4256	2472	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	102
PID 4344 wrote to memory of 2308	4344	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	103
PID 4344 wrote to memory of 2308	4344	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	103
PID 4344 wrote to memory of 2308	4344	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	103
PID 2540 wrote to memory of 4352	2540	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	104
PID 2540 wrote to memory of 4352	2540	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	104
PID 2540 wrote to memory of 4352	2540	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	104
PID 940 wrote to memory of 2584	940	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	105
PID 940 wrote to memory of 2584	940	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	105
PID 940 wrote to memory of 2584	940	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	105
PID 3820 wrote to memory of 116	3820	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	107
PID 3820 wrote to memory of 116	3820	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	107
PID 3820 wrote to memory of 116	3820	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	107
PID 1192 wrote to memory of 4192	1192	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	108
PID 1192 wrote to memory of 4192	1192	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	108
PID 1192 wrote to memory of 4192	1192	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	108
PID 4364 wrote to memory of 2260	4364	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	109
PID 4364 wrote to memory of 2260	4364	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	109
PID 4364 wrote to memory of 2260	4364	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	109
PID 3892 wrote to memory of 2256	3892	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	110
PID 3892 wrote to memory of 2256	3892	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	110
PID 3892 wrote to memory of 2256	3892	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	110
PID 2472 wrote to memory of 4028	2472	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	111
PID 2472 wrote to memory of 4028	2472	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	111
PID 2472 wrote to memory of 4028	2472	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	111
PID 3556 wrote to memory of 4576	3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	112
PID 3556 wrote to memory of 4576	3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	112
PID 3556 wrote to memory of 4576	3556	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	112
PID 1668 wrote to memory of 2696	1668	1e51fc2cc100ddb51b869c6ff81db7d0N.exe	113

C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
"C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4352
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:5144
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        8⤵
        
        PID:10180
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        9⤵
        
        PID:20772
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        8⤵
        
        PID:14228
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        8⤵
        
        PID:20064
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:7616
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        8⤵
        
        PID:15320
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        8⤵
        
        PID:13688
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:10352
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        8⤵
        
        PID:22008
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:14720
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:10664
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:5236
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:7284
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        8⤵
        
        PID:13868
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        8⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:9836
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        8⤵
        
        PID:13148
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:18700
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:6584
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:11804
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:16388
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:8568
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:16416
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:11696
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:14116
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:1132
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:11256
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:16092
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:8044
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:15412
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:21712
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:10780
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:14972
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:12552
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:5300
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:9240
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:6944
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:12712
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:17888
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:6796
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:12180
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:16716
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:8940
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:5664
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:12696
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:17936
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4256
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:4836
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:6336
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:10188
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        8⤵
        
        PID:13336
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:14204
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:20016
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:7880
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:13996
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:10428
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:13408
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:14628
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:8640
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:5276
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:9612
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:19560
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:13020
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:18456
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:6852
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:12092
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:16740
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:8768
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:5448
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:12428
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:17440
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:4028
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:6140
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:9944
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:13072
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:13456
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:18996
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:7560
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:4628
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:14656
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:10220
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:4148
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:14196
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:20024
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:5324
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:8540
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:15736
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:11756
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:4728
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:6724
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:12172
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:16732
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:8728
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:18264
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:12340
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:17304
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:2260
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:10196
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        8⤵
        
        PID:20708
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:14256
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:6376
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:7804
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:15432
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:14732
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:10368
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:22000
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:14676
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:20284
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:5332
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:8556
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:16928
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:11484
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:16152
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:6900
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:12064
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:16676
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:8872
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:5680
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:12472
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:2108
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:4192
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:1876
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:9688
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:19544
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:13084
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:18660
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:7636
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:15372
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:5212
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:10288
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:20624
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:14320
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:20276
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:5356
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:8384
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:15720
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:11208
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:16024
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:6892
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:12728
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:17900
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:8760
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:7040
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:12480
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:5008
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3892
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:2256
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:4880
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:9704
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:19516
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:13212
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:18652
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:7536
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:15364
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:14276
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:10256
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:22032
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:14328
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:20292
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:5340
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:8492
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:16136
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:11536
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:16160
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:6788
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:11820
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:16520
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:8744
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:5668
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:12352
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:17584
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:116
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:4092
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:9956
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:19232
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:13700
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:19200
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:7624
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:2188
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:14704
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:10296
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:22048
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:14468
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:4532
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:5348
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:8436
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:16576
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:11268
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:16128
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:7056
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:12720
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:17880
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:9184
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:5676
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:12704
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:17912
- C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2584
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:5152
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:6128
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:9804
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        8⤵
        
        PID:13280
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:13444
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:19164
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:7552
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:15420
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:14784
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:10264
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:20848
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:14188
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:20132
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:5244
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:7492
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:13400
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:13696
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:10212
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:20780
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:14176
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:20008
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:6672
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:11812
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:16408
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:8712
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:5652
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:2960
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:17080
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:3908
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:3380
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:9656
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:19536
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:13060
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:18708
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:7608
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:4948
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:13892
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:10280
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:20632
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:14384
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:20300
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:5284
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:8736
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:18888
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:12332
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:17220
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:6696
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:12080
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:16760
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:8696
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:17236
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:9756
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:17280
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:628
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:3428
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:6224
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:10104
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:20856
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:13748
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:2996
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:7716
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:15348
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:13684
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:10360
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:20544
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:14712
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:9908
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:5268
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:8408
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:16144
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:11240
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:16048
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:6660
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:12056
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:16648
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:8688
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:17592
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:10160
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:17228
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:2060
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:10012
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:13120
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:13472
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:19068
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:7516
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:15380
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:21772
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:10248
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:20788
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:14212
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:6348
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:5308
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:9444
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:6912
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:12880
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:1900
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:6716
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:12196
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:16748
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:8704
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:18716
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:112
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:17088
- C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2308
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:5136
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:6268
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:9632
        
        C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        7⤵
        
        PID:19848
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:12960
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:18464
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:7644
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:3684
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:13944
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:10336
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:20484
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:14604
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:8420
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:5252
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:8392
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:15712
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:11248
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:16120
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:6620
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:11896
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:16584
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:8680
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:5492
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:12276
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:16772
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:1760
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:1344
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:10088
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:13152
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:13464
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:19076
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:7696
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:15388
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:14672
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:10344
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:13096
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:14592
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:18296
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:5292
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:8548
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:17096
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:11528
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:16168
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:6804
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:12488
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:13272
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:8752
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:18760
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:12408
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:2020
- C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:3804
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:3100
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:9824
      - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        6⤵
        
        PID:19912
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:968
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:18692
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:7568
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:15304
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:21320
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:10204
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:13184
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:14220
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:20040
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:5260
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:8400
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:15700
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:11416
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:16100
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:6612
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:12040
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:16656
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:8672
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:16724
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:12284
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:16896
- C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
  2⤵
  PID:4576
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:5220
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:9648
    - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
        5⤵
        
        PID:19772
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:12932
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:4944
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:7508
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:15164
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:12436
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:10272
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:22016
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:14236
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:20032
- C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
  2⤵
  PID:5316
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:9544
  - - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
      4⤵
      PID:19748
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:12940
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:18472
- C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
  2⤵
  PID:7188
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:12748
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:18436
- C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
  2⤵
  PID:9696
- - C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
    3⤵
    PID:19552
- C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
  2⤵
  PID:13076
- C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\1e51fc2cc100ddb51b869c6ff81db7d0N.exe"
  2⤵
  PID:18568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\danish gang bang gay catfight feet 40+ (Karin).mpeg.exe

Filesize
688KB

MD5
00d60fd0769bcda065daa35660939960

SHA1
01f280197642b6b5eebf2fabcd64551c9537c72f

SHA256
28af0aaa25c3163607d5842a5aff64436b6b0a2953e54d13444ec3b0b3452780

SHA512
b3c1d6f550b419d028a542a47a17538c9c540c2bc52d797f6f2c465446d8a1bafe674418f26b49e2aaf5725c458e81997183234d00390b138dffa3884a5e0250

Download Submit